OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT

FISCAL YEAR 2011 EVALUATION OF
NEA’S COMPLIANCE WITH THE
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT OF 2002

REPORT NO. R-12-01

November 15, 2011

REPORT RELEASE RESTRICTION

In accordance with Public Law 110-409, the Inspector General Reform Act of 2008, this report shall be posted on the National Endowment for the Arts (NEA) website not later than three (3) days after it is made publicly available with the approval of the NEA Office of Inspector General. Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public. Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.

INTRODUCTION

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Inspector General of its agency’s information security programs and practices. This report presents the results of our evaluation of NEA’s information security program and practices for protecting its information technology (IT) infrastructure.

BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on December 17, 2002. It replaced the Government Information Security Reform Act (GISRA), which expired in November 2002.
The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency. This includes:

• Periodic risk assessments;
• Policies and procedures that are based on risk assessments;
• Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
• Security awareness training to inform employees (including contractors) of the security risks associated with their activities and their responsibilities to comply with those agency policies and procedures designed to reduce those risks;
• Periodic testing and evaluation of the effectiveness of information security policies;
• A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
• Procedures for detecting, reporting, and responding to security incidents; and
• Plans and procedures to ensure continuity of operations of the agency’s information systems.

Office of Management and Budget (OMB) Memorandum M-11-33, dated September 14, 2011, entitled FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2011 information to OMB.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications, including NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls as well as the benefits of such controls. NIST also has published a Guide for Developing Security Plans for Information Technology Systems; Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems. In addition, guidance is found in the Government Accountability Office publication, Federal Information System Controls Audit Manual (FISCAM).

NEA’s Office of Information and Technology Management (ITM) maintains and operates two of the Agency’s three core systems on a local area network (LAN). These are the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. NEA has contracted with the Department of Transportation (DOT) Enterprise Service Center to host its Financial Management System (FMS) through DOT’s Delphi Financial Management System, and with the U.S. Department of Agriculture (USDA) National Finance Center for payroll services. NEA has also contracted with other providers for email, the grant application process and its personal identity verification (PIV) program.
ITM operates support systems for internet and intranet services.

The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over NEA’s networks.

OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA’s information technology (IT) security program and practices. This included a review of NEA’s IT security policies and procedures and its privacy management program. It also included interviews with responsible agency officials managing the IT systems, and tests of the effectiveness of security controls.

PRIOR EVALUATION AND OTHER REPORTS

The NEA Office of Inspector General (OIG) issued a report entitled Fiscal Year 2010 Evaluation of NEA’s Compliance with the Federal Information Security Management Act of 2002 (Report No. R-11-01), dated November 15, 2010. The report contained seven (7) recommendations, for all of which NEA has implemented corrective actions.

We considered the results of our Review of NEA’s Control Over Computer-Related Equipment, Report No. R-11-02, dated January 25, 2011. The review was to determine whether NEA was processing and reporting computer security incidents in accordance with its policies and federal guidance. The report contained eleven recommendations from the OIG. As of August 24, 2011, NEA had implemented corrective actions for seven of the eleven recommendations.

We also considered the independent risk assessment report dated September 23, 2011. NEA contracted with EmeSec Information Assurance to review and assess the security architecture supporting NEA’s enterprise network in support of certification and accreditation. The assessment included reviewing and examining documentation, including policies, procedures and plans, for compliance with FISMA requirements, OMB policy and applicable NIST guidelines. EmeSec also tested security controls by conducting vulnerability assessment and penetration testing of the network and applications, and by assessing NEA’s compliance with the Federal Desktop Core Configuration (FDCC).

EVALUATION RESULTS

In June 2011, the Department of Homeland Security (DHS) issued a checklist for use by Offices of Inspectors General to assess the level of performance achieved by agencies in the specified program areas during the Fiscal Year 2011 FISMA evaluation period.

This report presents our completed DHS checklist for the NEA. We determined the level of performance (a, b, or c) that the NEA had achieved for each of the program areas listed. NEA program areas were designated as an “a” status where we determined that the NEA met all the program attributes specified by the DHS. NEA program areas were designated as a “b” status where we determined that one or more conditions listed by the DHS needed significant improvement at the NEA. Due to time and resource constraints, we were unable to test all conditions listed by the DHS in the “b” sections.
Therefore, it is possible that more of these conditions exist at the NEA than those we have checked. NEA program areas were designated as a “c” status where we determined that NEA has not yet established the program area.

The FY 2011 FISMA evaluation concluded that NEA’s Office of Information and Technology Management (ITM) has established a security program for protecting its information technology (IT) infrastructure and is generally compliant with FISMA; however, improvements are needed. The most recent risk assessment identified several areas which need to be addressed by NEA to strengthen its security program and increase its compliance with FISMA requirements, OMB policy and applicable NIST guidelines. Some of the issues relate to improvements in policies and procedures, documentation, system vulnerabilities and the risk assessments performed by ITM.

We determined that the following program areas met the level of performance specified by DHS’s Fiscal Year 2011 FISMA checklist:

1. Risk Management
2. Configuration Management
3. Incident Response and Reporting
4. Security Training
5. Identity and Access Management
6. Continuous Monitoring Management
7. Contractor Systems

We determined that the following program areas were not fully effective as a result of the conditions identified that need improvement:

1. Remote Access Management
2. Plan of Action & Milestones (POA&Ms)
3. Contingency Planning

We determined that NEA does not have a program in place for the following:

Security Capital Planning

Details of our evaluation are presented in the following narrative.

Risk Management

Overall, NEA has established and is maintaining a risk management program that is consistent with FISMA requirements, OMB policy and applicable NIST guidelines. However, some improvement opportunities have been identified. EmeSec Information Assurance (EmeSec) performed the latest risk assessment, the results of which were issued on September 23, 2011. The review concluded that while NEA has begun implementing a consistently improving Security Program, “NEA would benefit from a prioritized approach that addresses some of the most significant compliance requirements as a means of reducing the compliance and potential security risk(s) faced by the NEA Chairman, the CIO and the NEA-IG.” The assessment identified the following weaknesses and recommended that NEA:

1. Establish system ownership and security management that is consistent with NIST requirements.
2. Formally categorize the General Support System (GSS).
3. Move the apps.NEA.gov server into a demilitarized zone (DMZ).
4. Fully implement FDCC.
5. Modify web application code to sanitize all user input.
6. Apply all security patches.
7. Update policies and/or develop separate procedure(s) in support of each policy, with specifics related to activities, tasks, and performance.
8. Update the System Security Plan (SSP) and the Certification & Accreditation (C&A) package in the proper format.
9. Document the risks related to the NEA Network System, including showing those risks that can be mitigated and those that cannot be mitigated.
10. Remove security policy and procedure development from the legal approval process.
11. Conduct regular security assessments.
12. Implement technical enhancements:
    • use stronger passwords for all accounts
    • enable Administrator accounts on network printers
    • disable unnecessary ports and services
    • apply patches and hot-fixes on all servers and workstations
    • create unique administrator accounts for each administrator
    • upgrade unsupported operating systems.

The system vulnerability assessment identified 20 internal system vulnerabilities categorized as critical and 363 vulnerabilities, both internal and external, categorized as high risk. The report also identified several medium- and low-risk vulnerabilities.

Subsequent to our evaluation, ITM included the weaknesses and vulnerabilities identified by the risk assessment in its Plan of Action and Milestones (POA&Ms). In addition, ITM recently implemented Nessus, a vulnerability scanner, as a continuous monitoring tool to identify network vulnerabilities.

We recommend that NEA implement corrective actions for the recommendations in the Risk Assessment Report issued September 23, 2011 by EmeSec. The corrective actions should address all of the recommended policy, administrative and technical improvements, including the vulnerabilities identified. NEA should also use a prioritized approach based on the categorization of risk to implement corrective actions for system vulnerabilities.

Configuration Management

NIST SP 800-53 (Rev. 3) defines the configuration management plan as detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. The plan describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and finally, how documents are developed, released, and updated. The plan should also define roles and responsibilities.

During our review of NEA’s configuration management program, we determined that NEA has established and is maintaining a security configuration management program. However, several areas of improvement were identified during the independent risk assessment and the FISMA evaluation. The assessment concluded that “NEA had no detailed configuration management policy; no configuration control board” and was not “fully FDCC compliant.”

Our review of NEA’s Change Management Program determined that in some cases the requestor, reviewer and approver for changes to the system or software were the same person. The independent risk assessment also identified the same segregation of duties issue.

We recommend that NEA revise its change management policy to provide for adequate segregation of duties. The policy should ensure that the request, review and approval for potential and/or actual changes to hardware or software are not performed and approved by the same staff person.

Incident Response and Reporting

During the FY 2010 FISMA evaluation, we identified several areas in need of improvement in NEA’s Computer Security Incident Reporting Program. We issued a report, NEA’s Control Over Computer-Related Equipment (Report No. R-11-02), which contained eleven recommendations.
The report also included seven recommendations by the NEA Information System Security Officer (ISSO) to the CIO to address weaknesses found in the program.

Appendix III to OMB Circular A-130 states:

    When faced with a security incident, an agency should be able to respond in a manner that both protects its own information and helps to protect the information of others who might be affected by the incident. To address this concern, agencies should establish formal incident response mechanisms.

As of August 24, 2011, NEA had implemented corrective actions for seven of the eleven OIG recommendations and for five of the seven ISSO recommendations. Subsequent to our evaluation, ITM informed us that corrective actions for three of the remaining OIG recommendations had been implemented and were awaiting management concurrence.

Although there are areas in need of improvement, NEA has established and is maintaining an incident response and reporting program that is consistent with FISMA requirements, OMB policy and applicable NIST guidelines.

We recommend that NEA implement corrective actions for the remaining six recommendations in Report No. R-11-02, NEA’s Control over Computer-Related Equipment.

Security Training

NIST Special Publications 800-50, Building an Information Technology Security Awareness and Training Program, and 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provide the standards for security awareness and training. NEA administered its FY 2011 Annual Refresher Training on August 10, 2011.

We obtained and reviewed the FY 2011 IT Security and Privacy Awareness Refresher training materials and the notification sent to employees by email. We determined that the date-of-completion requirement, which was recommended by the OIG in the FY 2010 FISMA evaluation, was included. However, we noted that while the training covered reporting the theft of computer-related equipment, it did not cover computer security incident reporting as recommended by the OIG and agreed to by ITM.

Appendix III to OMB Circular A-130 states, in part:

    Awareness and training for individuals with access to the system should include how to use the system’s incident response capability.

We also obtained and reviewed the list of employees who had completed the FY 2011 security awareness training and determined that 99% of the staff completed the training (165 completed, 1 did not complete).

Although NEA has established and is maintaining a security training program, we recommend that ITM include computer security incident reporting in its annual security awareness training in accordance with OMB Circular A-130.

Plan of Action and Milestones (POA&Ms)

OMB’s instructions direct Inspectors General to review the status of the agency’s POA&M program. The program should be consistent with FISMA requirements, OMB policy and applicable NIST guidelines and include written policies for managing security weaknesses. OMB Memorandum M-02-01 describes a POA&M as a corrective action plan, a tool that identifies tasks that need to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. The purpose is to assist agencies in identifying, assessing, prioritizing and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. The program should also include reports to the CIO on a regular basis, at least quarterly, on the progress of remediation.

The independent risk assessment concluded that although NEA has an established POA&M program, it is not being implemented consistently. The assessment stated that the POA&Ms reviewed were “from the previous Office of Inspector General audit and not accurate.”

During our FY 2010 FISMA evaluation, we recommended areas of improvement for the POA&M program. We recommended that ITM develop and implement written policies and procedures for its POA&M program consistent with FISMA requirements, OMB policy and applicable NIST guidelines. We also recommended that the policy include procedures for regular reporting on the progress of remediation to the CIO, at least quarterly. ITM developed the policy; however, it has not been consistently implemented. As this is a repeat finding (FY 2008-2010 FISMA evaluations), we believe NEA needs to make significant improvements in its tracking and monitoring of information security weaknesses.

We recommend that ITM implement procedures for its POA&M program in accordance with FISMA requirements, OMB policy and applicable NIST guidelines to accurately and consistently track and monitor information security weaknesses. ITM should also document notification to the CIO, at least quarterly, of remediation progress.

Remote Access Management and Identity and Access Management

NEA has established and is maintaining programs for remote access and for identity and access management, and has developed policies and procedures for both. However, those policies are not consistently implemented, and several areas of improvement were identified during our review.

The FY 2011 Risk Assessment recommended that the policies for Remote Access and Access Control be consolidated to reduce the likelihood of inconsistent guidance and/or requirements.
The review also recommended that the policies define roles and responsibilities and ensure that the defined technical requirements are FDCC compliant.

During our review of the Remote Access Policy, we found that there was no requirement for employees to complete authorization forms. We also found that the authorization forms were not available on the NEA Intranet Forms webpage and that not all employees with remote access had completed and submitted forms to ITM. In addition, we requested the names of employees who have remote access and the authorizations on file. We determined from the information provided by ITM that, of the 88 employees who had remote access, only 39 had authorizations on file.

We also found that NEA-owned cell phones (BlackBerry) are maintained and issued through NEA’s Office of Administration. Therefore, ITM does not issue or maintain authorization for remote access using these devices. The BlackBerry is considered a consumer device which has web-based remote access. NIST SP 800-46, Section 4.2 states, in part:

    Given the similarity between the functions of consumer devices, particularly as they become more advanced, and PCs, organizations should strongly consider treating them similar to, or the same as, PCs. This means that organizational policies for PCs may simply be extended to consumer devices; if the two policies are kept separate, the policy documents should heavily cross-reference each other.

We believe NEA needs to make significant improvements to its Remote Access Program. We recommend that NEA implement corrective actions to address the following:

• Recommendations of the FY 2011 Risk Assessment.
• Revise its policy for Remote Access to include the requirement and procedures to complete and submit authorization forms to ITM. Policies and procedures should ensure that employees complete the process before remote access is granted.
• Make authorization forms available to employees on the NEA Intranet Forms webpage.
• Revise its Remote Access policy to include any consumer devices, such as phones, which provide remote access, and ensure authorizations are maintained by ITM.

Continuous Monitoring Management

OMB’s FY 2011 instructions state that continuous monitoring programs and strategies should address: (i) the effectiveness of deployed security controls; (ii) changes to information systems and the environments in which those systems operate; and (iii) compliance with federal legislation, directives, policies, standards and guidance with regard to information security and risk management. Continuous monitoring of security controls is required as part of the security authorization process to ensure controls remain effective over time in the face of changing threats, missions, environments of operation, and technologies. A robust and effective continuous monitoring program will ensure that the documents included in an agency’s security authorization package (e.g., system security plans, security assessment reports, and POA&Ms) are updated as appropriate and contain the necessary information for authorizing officials to make credible risk-based decisions regarding the security state of the information system on an ongoing basis.

The FY 2011 risk assessment recommended that the policy for Continuous Monitoring be strengthened by defining roles and responsibilities and by defining specific timeframes/frequencies for tasks (i.e., daily, weekly, monthly, quarterly and/or at least annually).

We determined that NEA has established and implemented a continuous monitoring program, which assesses the security state of its information systems, that is consistent with FISMA requirements, OMB policy and applicable NIST guidelines. However, we recommend that NEA revise its Continuous Monitoring policies to include the recommendations of the risk assessment.

Contingency Planning

NEA has established and is maintaining an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy and applicable NIST guidelines. However, the FY 2011 independent risk assessment recommended that NEA develop a comprehensive Information System Contingency Plan (ISCP) based on NIST SP 800-34, Revision 1.

According to NIST SP 800-34, Revision 1, the ISCP is distinct from the Continuity of Operations Plan (COOP) and should define roles and responsibilities, define specific recovery time objectives, and address training, test planning and documentation of test results. It further states that once the disaster recovery plan has successfully transferred an information system to an alternate site, each affected system would then use its respective ISCP to restore, recover and test the system and put it into operation.

We recommend that NEA develop and implement written policies and procedures to ensure that it establishes an Information System Contingency Plan in compliance with NIST SP 800-34, Revision 1.

Contractor Systems

OMB’s FY 2011 FISMA instructions state that “each agency must ensure their contractors are abiding by FISMA requirements. Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including ‘information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.’ Therefore, Federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls (see OMB Circular A-130, Appendix III). Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data. Agencies must also review the security of other users with privileged access to Federal data and systems.”

We obtained and reviewed agreements, including Interconnection Security Agreements and Memoranda of Understanding (MOU), with NEA’s service providers. We found that agreements were in place for all interconnected providers except the service provider Xecu.net, which houses NEA’s backup systems.

We determined that overall NEA has established and maintains a program to oversee systems operated on its behalf by contractors or other entities.
However, we recommend that NEA immediately execute an MOU and/or Interconnection Security Agreement with Xecu.net, as required by FISMA requirements, OMB policy and applicable NIST guidelines.

Financial Management System

NEA has an agreement with the U.S. Department of Transportation (DOT) to utilize the Enterprise Service Center’s (ESC) Oracle Federal Financial System, Delphi, as its financial management system.

OMB requires that such service organizations provide client agencies with an independent report describing system controls. To comply with this requirement, DOT OIG hired an independent contractor, Clifton Gunderson, LLP, to conduct a review of the computer controls over the information technology and data processing environment, as well as the input, processing and output controls built into the Delphi system, which is used by multiple Federal agencies.

The audit concluded that management’s description fairly presents, in all material respects, the ESC’s system as it was “designed and implemented throughout the period October 1, 2010 to June 30, 2011.” In addition, the report, dated August 1, 2011, stated that “controls are suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period.”

Payroll System

NEA uses the U.S. Department of Agriculture (USDA) National Finance Center (NFC) as its payroll provider. In September 2011, the USDA OIG issued its Statement on Standards for Attestation Engagements No. 16 Report on Controls at the National Finance Center.[1] The review concluded that the NFC’s “description fairly presents NFC payroll/personnel processing and application hosting systems that were designed and implemented throughout the period from October 1, 2010, to July 31, 2011.” Also, in their opinion, “the controls included in the description were suitably designed and operating effectively to provide reasonable assurance that the associated control objectives would be achieved.” There were no recommendations in the report.

[1] Statement on Standards for Attestation Engagements (SSAE) 16 reports replaced SAS 70 reports for periods ending on or after June 15, 2011.

Security Capital Planning

The Capital Planning and Investment Control Process, as defined in OMB Circular A-130, Section 6(c), “is a management process for ongoing identification, selection, control, and evaluation of investments in information resources. The process links budget formulation and execution, and is focused on agency missions and achieving specific program outcomes.” The FY 2011 FISMA instructions list the following attributes of a program that is established and maintained:

• Documented policies and procedures to address information security in the capital planning and investment control process.
• Includes information security requirements as part of the capital planning and investment process.
• Establishes a discrete line item for information security in organizational programming and documentation.
• Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required.
• Ensures information security resources are available for expenditure as planned.

NEA does not have a capital planning and investment control process program.

We recommend that NEA establish and maintain a security capital planning and investment control process program for information security.
Therefore NEA is not required to\nconduct privacy information assessments (PIA).\n\nFY 2011 OMB guidance states that \xe2\x80\x9calthough neither Section 208 of the E-Government\nAct, nor OMB's implementing guidance mandate agencies conduct PIAs on electronic\nsystems containing information about Federal employees (including contractors), OMB\nencourages agencies to scrutinize their internal business processes and the handling of\nidentifiable information about employees to the same extent they scrutinize processes and\ninformation handling procedures involving information collected from or about members\nof the public (OMB Memorandum 03-22, Section II.B.3.a).\xe2\x80\x9d\n\nEmeSec reviewed the NEA PIA policy and offered the following assessment:\n\n\xe2\x80\xa2   The document does not trace via flow the transport of PII data through the NEA\n    General Support System.\n\n\xe2\x80\xa2   It does have the portion regarding what is submitted may be collected but it shows no\n    discussion on whether the stored PII is encrypted, once collected.\n\nWe recommend that NEA revises its PIA policy to address the above assessment and\nensure compliance with FISMA requirements, OMB policy and applicable NIST\nguidelines.\n.\n                             EXIT CONFERENCE\nWe provided a draft copy of this report to ITM officials on November 14, 2011. The\nofficials generally concurred with our findings and recommendations and agreed to\ninitiate corrective actions.\n                           RECOMMENDATIONS\nWe recommend that the National Endowment for the Arts, Office of Information and\nTechnology Management:\n\n    1. Implement corrective actions for recommendations in the Risk Assessment Report\n       issued September 23, 2011 by EmeSec. The corrective actions should address all\n       of the recommended policy, administrative and technical improvements including\n       vulnerabilities identified. 
NEA should also use a prioritized approach based on\n\n                                            13\n\x0c   the categorization of risk to implement corrective actions for system\n   vulnerabilities.\n\n2. Revise its change management policy to provide for adequate segregation of\n   duties. The policy should ensure that the request, review and approval for\n   potential and/or actual changes to hardware or software are not performed and\n   signed off by the same staff person.\n3. Implement corrective actions for the remaining six recommendations in\n   Report No. R-11-02, NEA\xe2\x80\x99s Control over Computer-Related Equipment.\n\n4. Include computer incident and reporting in its annual security awareness training.\n\n5. Implement procedures for its POA&Ms program in accordance with NIST, OMB\n   and FISMA requirements to accurately track and monitor information security\n   weaknesses consistently.\n\n6. Document notification to the CIO, at least quarterly, of remediation progress of its\n   POA&M program.\n\n7. Implement corrective actions to address the following recommendations for its\n   Remote Access program:\n\n   \xe2\x80\xa2   Recommendations of the FY 2011 Risk Assessment.\n   \xe2\x80\xa2   Revise its policy for Remote Access to include the requirement and\n       procedures to complete and submit authorization forms to ITM. Policies and\n       procedures should ensure that employees complete the process before remote\n       access is granted.\n   \xe2\x80\xa2   Authorization forms should be made available to employees on the NEA\n       Intranet Forms webpage.\n   \xe2\x80\xa2   Revise its Remote Access policy to include any consumer devices, such as\n       phones which provide remote access and ensure authorizations are maintained\n       by ITM.\n\n8. Develop and implement written policies and procedures to ensure that it\n   establishes an Information System Contingency Plan in compliance with NIST SP\n   800-34, Revision1.\n\n9. 
Execute an MOU and/or interconnectivity agreement with Xecu.net, as required\n   by FISMA requirements, OMB policy and applicable NIST guidelines.\n\n10. Establish and maintain a security capital planning and investment control process\n    program for information security. The program should include written policies\n    and procedures to ensure that the program is in compliance with OMB, FISMA\n    and NIST guidelines.\n\n\n                                        14\n\x0c11. Revise its PIA policy to address EmeSec\xe2\x80\x99s assessment and ensure compliance\n    with FISMA requirements, OMB policy and applicable NIST guidelines.\n\n\n\n\n                                      15\n\x0c"